WHAT IS OAUTH? 





QUICK HISTORY 


LESSON 





BACK IN THE BAD OLD DAYS 


Hey user, would you like me to connect to your MySpace and post updates on your behalf?

Sure, how do I set that up?

Easy! Just give me your MySpace password! I promise not to do anything bad with it...





OAuth is a protocol that allows users to authorize one website to access their account on another (or "connect accounts"), without sharing passwords.





HOW DO I OAUTH?





THREE ROLES INVOLVED

User, API Consumer, API Provider





SETUP: CONSUMER REGISTERS WITH PROVIDER

Hi, I'd like to use your API to get information about your users.

I'm OK with that if the users are. Here's your API key & secret. If you use this API for bad things, I'll revoke them to disable your API access!





STEP 1: USER ARRIVES AT CONSUMER

Oh, looks like I can log in with Google! I'd like to do that, please.

In order to log you in, I need to ask Google who you are. Google won't tell me anything about you unless you give permission, so I'm going to send you to Google now.





STEP 2: USER REDIRECTED TO PROVIDER

Looks like this other website wants to know some of your information. Is that OK with you?

What do they want to know?

They just want your email address.

Oh sure, that's fine.

OK, I'll give you this secret code, and send you back to the site. They'll know what to do with the code.





STEP 3: USER GIVES CODE TO CONSUMER

Alright, I talked to Google, and they gave me this secret code. Can I log in now?

Perfect! Just give me a second, and then you can log in.





STEP 4: CONSUMER EXCHANGES CODE FOR TOKEN

This code proves that the user gave permission to let me see their data.

Yep, that code matches the one I just gave the user! OK, I'm willing to give you the data that the user approved. That secret code was just temporary, though: take this token instead, and store it as securely as you would store the user's password!





STEP 5: CONSUMER MAKES API REQUESTS

- Valid API token?
- Matches an active user I know about?
- Consumer's API access has not been revoked?
- User has not revoked permission?
- Data requested matches what user allowed?

Yep, looks good! Here's the data you asked for:





RESULT: SMOOTH INTEGRATION

I got your email from Google, so now I know who you are. You can log in now!

Yay, that was easy!

Actually, it was really complicated, but I'm glad it looked easy to you.
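The setup and steps 1 to 5 above as one runnable simulation with both sides' messages. This is an added example, not code from the comic or any provider's SDK; the Provider and Consumer classes, the user "alice" with address alice@example.com, and the in-memory dictionaries are all constructed stand-ins for a real provider's registry and database. Beyond the happy path the comic draws, it also shows three refusals the comic implies: replaying the temporary code, asking for data the user never approved, and using the token after the user has revoked permission.

```python
import secrets
import time

# Constructed for this example (not the comic's code or any real provider's API):
# Provider, Consumer, the user "alice" and the in-memory dicts are all stand-ins.


class Provider:   # the API Provider, the comic's Google
    def __init__(self):
        self.consumers = {}   # client_id -> {"secret": str, "revoked": bool}
        self.users = {"alice": {"email": "alice@example.com", "name": "Alice", "active": True}}
        self.codes = {}       # temporary code -> what the user approved, and for whom
        self.tokens = {}      # token -> same details plus a "revoked" flag

    # SETUP: the consumer registers and receives an API key & secret.
    def register_consumer(self, name):
        client_id = f"{name}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        self.consumers[client_id] = {"secret": client_secret, "revoked": False}
        return client_id, client_secret

    # STEP 2: on the user's "yes", issue a short-lived code tied to consumer, user and fields.
    def authorize(self, client_id, user, scope, approve):
        if client_id not in self.consumers:
            raise PermissionError("unknown consumer")
        if not approve:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user, "used": False,
                            "scope": frozenset(scope), "expires": time.time() + 60}
        return code

    # STEP 4: check the code is the one just issued to this consumer, then spend it for a token.
    def exchange_code(self, client_id, client_secret, code):
        consumer, grant = self.consumers.get(client_id), self.codes.get(code)
        if consumer is None or consumer["revoked"]:
            raise PermissionError("unknown or revoked consumer")
        if not secrets.compare_digest(consumer["secret"], client_secret):
            raise PermissionError("bad client secret")
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("code was not issued to this consumer")
        if grant["used"] or grant["expires"] < time.time():
            raise PermissionError("code expired or already used")
        grant["used"] = True   # the code was only temporary: one exchange, then gone
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "user": grant["user"],
                              "scope": grant["scope"], "revoked": False}
        return token

    # STEP 5: every API request is checked against the comic's five questions.
    def api_request(self, token, field):
        t = self.tokens.get(token)
        if t is None:
            raise PermissionError("not a valid API token")
        user = self.users.get(t["user"])
        if user is None or not user["active"]:
            raise PermissionError("token does not match an active user")
        if self.consumers[t["client_id"]]["revoked"]:
            raise PermissionError("consumer's API access has been revoked")
        if t["revoked"]:
            raise PermissionError("user has revoked permission")
        if field not in t["scope"]:
            raise PermissionError("user did not allow this data")
        return user[field]

    def user_revokes_token(self, token):
        self.tokens[token]["revoked"] = True


class Consumer:   # the API Consumer, the site offering "log in with Google"
    def __init__(self, provider, name):
        self.provider = provider
        self.client_id, self.client_secret = provider.register_consumer(name)
        self.tokens = {}   # user -> token; guard it like a stored password

    # STEPS 3-5: the user comes back with the code; exchange it, then fetch the approved field.
    def login_with_code(self, user, code):
        self.tokens[user] = self.provider.exchange_code(self.client_id, self.client_secret, code)
        return self.provider.api_request(self.tokens[user], "email")


def refused(call):   # the provider's refusal message, or None if the call was allowed
    try:
        call()
    except PermissionError as e:
        return str(e)
    return None


def run_flow():   # walk the comic once, then show what the provider refuses afterwards
    google = Provider()
    site = Consumer(google, "example-site")
    code = google.authorize(site.client_id, "alice", ["email"], approve=True)
    results = {"email": site.login_with_code("alice", code)}
    results["replay"] = refused(lambda: google.exchange_code(site.client_id, site.client_secret, code))
    results["scope"] = refused(lambda: google.api_request(site.tokens["alice"], "name"))
    google.user_revokes_token(site.tokens["alice"])
    results["revoked"] = refused(lambda: google.api_request(site.tokens["alice"], "email"))
    return results
```

Calling run_flow() returns the email the consumer learned plus the three refusal messages. The single-use and expiry checks in exchange_code are what make the comic's "that secret code was just temporary" true: the code passes through the user's browser on the way back to the consumer, so it must be worthless once it has been exchanged, while the token (which never goes through the browser) is what the consumer guards like a password.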







